exos universal port 1371


Post on 07-Aug-2018


    Extreme Networks Configuration Guide

    ExtremeXOS™

    Universal Port Configuration Guide

    Extreme Networks Confidential and Proprietary © 2007 Extreme Networks, Inc. All rights reserved.

     


    Table of Contents

    1 Overview
      Profiles and Policies
      Static Profiles
      Dynamic Profiles
    2 Profile Rules
    3 Types of Dynamic Profiles
      Device Detection
      Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED
      Sample information provided through LLDP about an IP phone
      How Device Detection Works
      User Authentication
      Network Login
      802.1x IEEE Standards-based Login
      Web-based Network Login
      MAC-based Network Login
      Authentication Process
      How User Profiles Work
      Time
      Trigger Events
    4 Universal Port Commands and Variables
      Commands
      Command Modes
      Universal Port Command Summary
      Universal Port Variables
      Common Variables for all Profiles
      Variables for Device Detect Profiles
      Variables for User Authentication Profiles
    5 Configuration Process
      Configuration for Device Detection
      Configuration Requirements
      Configuration Sequence
      Configuration for User Login
      Configuration Requirements
      Configuration Sequence
      Configuration for Time-of-day Profiles
      Configuration Requirements
      Configuration Sequence
    6 Universal Port Manager
      Configuration
      Configuration Requirements
      Configuration Sequence
      Create New Profile
      Test the Profile
      Deploy the Profile
      Track Profile Status
      Redeploy a Profile
      To Import a Profile
      Customize an Existing Profile
    7 Example Universal Port Profiles
      Static Profile
      Timer Upload
      Generic VoIP LLDP
      Generic VoIP 802.1x
      Avaya VoIP 802.1x
      Dynamic Security Policy
      Video Camera


    1. Overview

    The ExtremeXOS™ Universal Port framework enables the switch to take actions based on events. Leveraging the ExtremeXOS CLI scripting capability, Universal Port activates profiles that are created and managed either manually via the ExtremeXOS CLI or through the EPICenter® Universal Port Manager.

    Universal Port is primarily used for simplifying edge configuration but can be used for other tasks such as automating conflict resolution.

    The Universal Port framework is embedded in all Extreme Networks switches that run on the ExtremeXOS operating system with an Edge License or higher.

    The EPICenter Universal Port Manager is a simple-to-use GUI that supports editing and debugging, mass deployments and updates, and can also run audits on Universal Port profiles and modules in the network.

    Profiles and Policies

    Universal Port has two types of profiles: Static and Dynamic.

    Profiles must not be confused with policies. Policies are special cases for a profile. A policy usually implies a security rule that takes action on traffic flows. A profile is a variable command set that can take action based on different types of events. For example, a profile can automatically provision a VoIP phone and the attached switch port with appropriate power and Quality of Service (QoS) settings.

    Static Profiles

    Static profiles are port profiles that include port settings, including Access Control Lists (ACLs), rate limiting, rate shaping, QoS, VLAN, interface speed, Power over Ethernet (PoE) budget, etc.

    Static profiles are not limited to individual ports but can include system wide configuration changes.

    Static profiles are default settings, and are NOT event driven. Static profiles are assigned to a port and are not specific to a device or a user. Static profiles are default settings or baselines for ports, leveraging ExtremeXOS scripting.

    Before ExtremeXOS introduced scripting capabilities, when an administrator needed to make a network change, the administrator had two choices.

    1. Open up a Telnet or console session, then issue the commands directly into the CLI ad-hoc.
    2. Use a template and modify the template with required changes, then paste the commands into a Telnet or Console session.

    By using profiles, other options are available. Static profiles provide the ability to create common templates and deploy these templates on demand. Because the configuration changes made from static profiles are saved in the configuration file, changes are permanent and remain after a reboot. This is sometimes also referred to as CLI Persistent Mode.

    Dynamic Profiles

    Dynamic profiles are special scripts that incorporate runtime variables that provide information about trigger events. Because dynamic profiles are event or action driven and do not require administrator invocation, network changes can be automated.

    Universal Port currently supports the following trigger events:

    • Device discovery
    • User or standards-based authentication
    • Time of Day

    Dynamic profiles can be activated automatically based on what is connecting to the network or who is logging onto the network. The flexibility of Universal Port saves configuration time while protecting the network from configuration errors.

    Before the advent of Universal Port, when devices were added, moved, or changed, IT personnel had to be available to place equipment and then configure both the network port and the new device. These tedious tasks typically took a long time, did not support mobility and were prone to human error.

    Configuration changes are applied to or removed from a port based on profiles activated or deactivated by a trigger. When a trigger event occurs, a profile associated with the trigger is executed.

    Triggers respond to events such as device detection using LLDP, user authentication onto the network via network login, or a timer event. Data from these events can be used to select specific profiles and even make decision points within profiles. A typical example is the use of a RADIUS server to specify a particular profile and then applying port-based policies to that user based on location.

    Information passed to Dynamic Profiles can be saved in variables. When a setting is activated, to roll back to the previous default setting, some information must be saved, such as the default VLAN setting or the default setting on a port. Essentially anything modified from the previous setting can be preserved for future use.


    Dynamic Profiles are temporary states. When a device appears at an edge port, a triggering event occurs that applies a profile to the port and configures appropriately. Examples of configuration parameters include VLAN, QoS, ACL, PoE and IP Security. When the device is no longer connected, another triggering event occurs to reverse the configuration parameters applied.

    There is no need to save the configuration change caused by the Dynamic Profile in the switch configuration; after a reboot the device is detected and the Dynamic Profile triggered again.

    This temporary state is critical. Imagine a situation where the profile for Dynamic Security policies was used. If the information granting access to specific resources in the network were saved in the configuration, and a reboot performed with the user losing network connectivity, that particular security policy would be set in stone and anybody else coming onto the network would have access to these network resources simply by plugging into that port.

    Dynamic Profiles are triggered and applied based on an event. Another event such as the disappearance of a device, somebody logging out, or a reboot clears the state.

    2. Profile Rules

    Both static and dynamic Universal Port profiles have the following restrictions:

    1. Profiles cannot exceed 5000 characters.
    2. Only 128 Universal Port profiles are allowed per switch.
    3. Profiles are stored as part of the switch configuration file.
    4. Typing and cutting-and-pasting are the only methods to transfer profile data using the CLI.
    5. Unless explicitly stated with the command configure cli mode persistent, configurations set by Universal Port profiles are non-persistent and cannot be saved to the switch configuration file.
    6. Note: Setting configuration changes invoked by a profile to be non-persistent allows for rollback changes. Rollback changes enable ports to return to initial states in the case of a reboot or power cycle.

    3. Types of Dynamic Profiles

    Dynamic profiles are applied to or removed from a port based on an activation or deactivation trigger. When a trigger event occurs, a profile script associated with the trigger is executed. The following events are trigger events:

    • Device Detection based on discovery protocols such as IEEE 802.1ab LLDP and ANSI/TIA-1057 LLDP-MED for Voice-over-IP (VoIP) phone extensions
    • User-based Login defined by standards-based authentication such as a Network Login framework with 802.1x support, web-based login or MAC-based Network Login
    • Timer events

    A user can assign Dynamic Profiles to a trigger event via the ExtremeXOS CLI or the EPICenter® Universal Port Manager.

    Dynamic Profile supported commands include VLAN port assignments, QoS settings, rate limiting capabilities of the port, PoE budget and dynamic ACLs. These parameters are not saved in the switch configuration.

    When using dynamic user-based security policies, implementation details are stored directly in the switch. There is no dependency on anything in the critical path. After a RADIUS server is configured and running, the RADIUS server specifies the policy to be applied as part of the authentication response packet via a RADIUS Vendor Specific Attribute (VSA). The switch takes this information and executes the correct Dynamic Profile.

    Note: The RADIUS server can be in proxy mode with information stored in a central directory service such as LDAP or Active Directory.

    Note: There is no profile hierarchy, which means users must verify there are no conflicting rules in static and dynamic profiles. This is a normal requirement for ACLs, and is standard when using policy files or dynamic ACLs.

    To test a profile or execute a profile, use the following run upm profile command:

        run upm profile <profile-name> {event <event-name>} {variables <variable-string>}

    Example:

        run upm profile afterhours

    If the variables keyword is not present but an event variable is specified in the profile, the ExtremeXOS operating system prompts for environmental variables appropriate to the event, including the VSA string for user authentication.

    Note: Variables are not validated for correct syntax.

    To view profile history, use the show upm history command.

        show upm history

    Example:

        show upm history

    Device Detection

    A variety of different devices can be connected to a port. When devices connect to the network, the Universal Port helps provide the right configuration at the port.

    Devices are detected and undetected as trigger events. Link Layer Discovery Protocol (IEEE 802.1AB, LLDP) is one of the predominant methods that use this trigger.


    There can only be one profile for the device-detect event trigger per port. This is important because there is no capability or external entity such as a RADIUS server that distinguishes the connecting device as part of the event trigger. Instead, the switch receives this information as part of the event data itself. Because individual ports can only have one device-detect profile, if-then-else statements in profiles along with detailed information provided through LLDP can be used to distinguish between connecting devices.

    For example, Voice-over-IP (VoIP) phones can send and receive information in addition to normal device identification information. The information sent through LLDP can be used to identify the maximum power draw of the device. The switch can then set the maximum allocated power for that port.

    If the switch does not have enough PoE left, the switch can advise certain handsets to switch to a lower power mode and try again. The switch can also transmit additional VoIP files and call server configuration information to the phone so the phone can register itself and receive necessary software and configuration information.

    Link Layer Discovery Protocol (LLDP or 802.1AB) and LLDP-MED

    Link Layer Discovery Protocol (LLDP or 802.1AB) is an IEEE standard that allows devices to exchange information about themselves with connected devices.

    Similar to Extreme Networks Discovery Protocol (EDP) or Cisco Discovery Protocol (CDP), LLDP defines a standard method for Ethernet network devices such as switches, routers, wireless LAN APs, IP phones, and any other network attached device to advertise information about themselves. Information about the device such as device configuration, capabilities, identification and software version can be advertised. This information is passed along using Type Length Value (TLV) fields within LLDP advertisements.

    LLDP defines a set of common advertisement messages, a protocol for transmitting the advertisements and a method for storing the information contained in received advertisements.

    LLDP is an extensible standard, providing a framework for industry consortiums to define application specific extensions without causing compatibility issues. The ANSI/TIA-1057 LLDP-Media Endpoint Discovery (LLDP-MED) standard defines extensions specifically for VoIP.

    The switch can advertise VLAN information and Quality of Service 802.1p marking service to the phone, and it can also advertise where the phone is actually connected to the wall jack. That location is called the E911 Emergency Call Service location, which represents a physical location using IETF standard formats, NOT just port information. The E911 emergency call service location can be configured on the switch port and used later to advertise the call location in case of an emergency call. Should a phone be moved, the phone’s E911 Emergency Call Service location is automatically updated from the phone’s new port.

    The lack of location identification information has at times hindered the adoption of VoIP. LLDP-MED solves this problem and it is expected to become mandatory in all VoIP deployments.

    The following LLDP-MED extensions provide VoIP-specific information as well as allow transmission of configuration and location information to VoIP phones.

    • Network Policy (which VLAN tag, .1p, DSCP, for the phone to use)
    • ECS Location ID (for E911 – coordinates or street/building/floor address), compliant with NENA and TIA-TSB-146 directions; the switch advertises configurable physical location information to the phone
    • Extended Power-via-MDI (finer grain PoE budget requirement, in Watts)
    • Inventory information such as firmware version, serial number, etc

    Note: Avaya and Extreme Networks have developed a series of extensions for submission to the standards consortium for inclusion in a later version of the LLDP-MED standard.

    • Avaya Power conservation mode
    • Avaya file server
    • Avaya call server


    Sample information provided through LLDP about an IP phone

    LLDP Port 1 detected 1 neighbor
      Neighbor: (5.1)192.168.10.168/00:04:0D:E9:AF:6B, age 7 seconds
      - Chassis ID type: Network address (5); Address type: IPv4 (1)
        Chassis ID : 192.168.10.168
      - Port ID type: MAC address (3)
        Port ID : 00:04:0D:E9:AF:6B
      - Time To Live: 120 seconds
      - System Name: “AVAE9AF6B”
      - System Capabilities : “Bridge, Telephone”
        Enabled Capabilities: “Bridge, Telephone”
      - Management Address Subtype: IPv4 (1)
        Management Address : 192.168.10.168
        Interface Number Subtype : System Port Number (3)
        Interface Number : 1
        Object ID String : “1.3.6.1.4.1.6889.1.69.1.13”
      - IEEE802.3 MAC/PHY Configuration/Status
        Auto-negotiation : Supported, Enabled (0x03)
        Operational MAU Type : 100BaseTXFD (16)
      - MED Capabilities: “MED Capabilities, Network Policy, Inventory”
        MED Device Type : Endpoint Class III (3)
      - MED Network Policy
        Application Type : Voice (1)
        Policy Flags : Known Policy, Tagged (0x1)
        VLAN ID : 0
        L2 Priority : 6
        DSCP Value : 46
      - MED Hardware Revision: “4625D01A”
      - MED Firmware Revision: “b25d01a2_7.bin”
      - MED Software Revision: “a25d01a2_7.bin”
      - MED Serial Number: “061622014487”
      - MED Manufacturer Name: “Avaya”
      - MED Model Name: “4625”
      - Avaya/Extreme Conservation Level Support
        Current Conservation Level: 0
        Typical Power Value : 7.4 Watts
        Maximum Power Value : 9.8 Watts
        Conservation Power Level : 1=7.4W
      - Avaya/Extreme Call Server(s): 192.168.10.204
      - Avaya/Extreme IP Phone Address: 192.168.10.168 255.255.255.0
        Default Gateway Address : 192.168.10.254
      - Avaya/Extreme CNA Server: 0.0.0.0
      - Avaya/Extreme File Server(s): 192.168.10.194
      - Avaya/Extreme IEEE 802.1q Framing: Tagged

    Note: Because LLDP is tightly integrated with IEEE 802.1x authentication at edge ports, when used together, LLDP information from authenticated end point devices is trustable for automated configuration purposes. This tight integration between 802.1x and LLDP protects the network from automation attacks.
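    The following Python sketch is an added example, not code from this guide or from Extreme Networks. It decodes the TLV fields of an LLDP advertisement carrying the basic values from the sample output above, and uses them for a device-detect decision only when the port has passed 802.1x authentication. The frame bytes are constructed for illustration; the function names and the profile labels "voice", "default" and "ignore" are hypothetical.

```python
import ipaddress
import struct

# System Capabilities bit positions defined by IEEE 802.1AB.
CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN AP",
                   4: "Router", 5: "Telephone", 6: "DOCSIS", 7: "Station Only"}


def encode_tlv(tlv_type, value):
    """Pack one TLV: a 7-bit type and a 9-bit length, followed by the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 0x1FF:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _capabilities(bitmap):
    """Turn a 16-bit capability bitmap into a list of names, lowest bit first."""
    return [name for bit, name in CAPABILITY_BITS.items() if bitmap & (1 << bit)]


def _decode(tlv_type, value, fields):
    """Decode the basic TLVs shown in the sample output; ignore all others."""
    if tlv_type == 1 and len(value) == 6 and value[:2] == b"\x05\x01":
        # Chassis ID subtype 5 (network address), address family 1 (IPv4).
        fields["chassis_id"] = str(ipaddress.IPv4Address(value[2:]))
    elif tlv_type == 2 and len(value) == 7 and value[0] == 3:
        # Port ID subtype 3 (MAC address).
        fields["port_id"] = ":".join(f"{b:02X}" for b in value[1:])
    elif tlv_type == 3 and len(value) >= 2:
        fields["ttl"] = struct.unpack("!H", value[:2])[0]
    elif tlv_type == 5:
        fields["system_name"] = value.decode("utf-8", errors="replace")
    elif tlv_type == 7 and len(value) == 4:
        supported, enabled = struct.unpack("!HH", value)
        fields["system_capabilities"] = _capabilities(supported)
        fields["enabled_capabilities"] = _capabilities(enabled)


def parse_lldpdu(data):
    """Walk the TLV chain of an LLDPDU (the payload after the Ethernet header).

    Raises ValueError when a TLV claims more bytes than the frame holds or
    when the End of LLDPDU TLV (type 0) is missing.
    """
    fields = {}
    offset = 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == 0:  # End of LLDPDU
            return fields
        value = data[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} is truncated")
        _decode(tlv_type, value, fields)
        offset += length
    raise ValueError("LLDPDU has no End TLV")


def select_profile(fields, port_authenticated):
    """Hypothetical device-detect decision (labels are assumptions).

    LLDP content is self-reported by the attached device, so it is used for
    automated configuration only after 802.1x authentication on the port.
    """
    if not port_authenticated:
        return "ignore"
    if "Telephone" in fields.get("enabled_capabilities", []):
        return "voice"
    return "default"


# Constructed sample: the basic TLVs of the Avaya phone in the output above.
SAMPLE_LLDPDU = b"".join([
    encode_tlv(1, b"\x05\x01" + ipaddress.IPv4Address("192.168.10.168").packed),
    encode_tlv(2, b"\x03" + bytes.fromhex("00040DE9AF6B")),
    encode_tlv(3, struct.pack("!H", 120)),
    encode_tlv(5, b"AVAE9AF6B"),
    encode_tlv(7, struct.pack("!HH", 0x0024, 0x0024)),  # Bridge + Telephone
    encode_tlv(0, b""),
])

if __name__ == "__main__":
    info = parse_lldpdu(SAMPLE_LLDPDU)
    for key, val in info.items():
        print(f"{key}: {val}")
    print("authenticated port   ->", select_profile(info, True))
    print("unauthenticated port ->", select_profile(info, False))
```
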


    How Device Detection Works

    Figure 1 illustrates how dynamic profiles work with device detection. There are two aspects shown in the illustration. Preparation is on the left and typically is only used occasionally, when rolling out a new network or updating profiles. The right side shows ongoing operations.

    Preparation

    The administrator pushes out the device profile to the network; it will be stored on the switch and enabled for specific ports. A profile can be either downloaded from an Extreme Networks website, received from another Extreme Networks user or partner, written by Extreme Networks professional services, or written by the end user. A dynamic device profile can also be a customization of an existing profile, e.g., Universal Port Handset Provisioning Module.

    Profiles can be written using any editor; they can be cut-and-pasted or typed into the CLI or they can be created using a sophisticated GUI such as the EPICenter Universal Port Manager. The Universal Port Manager provides several types of templates that can be stored and customized.

    Dynamic device profiles can be pushed out onto the network to entire lists of ports for massive deployments. When it is time to update or enhance these profiles, the Universal Port Manager can be used to refresh the same set of ports quickly.

    Operation

    During runtime, an end user can walk up and plug in a VoIP phone. Once the phone is plugged in, the user enters a personal username and password, which was provided with the phone. The phone starts 802.1x authentication supported by the latest firmware releases from vendors such as Avaya and Mitel.

    This authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated discovery. Extreme Networks recommends using 802.1x-authenticated LLDP; however, because the Universal Port framework is very flexible and the profiles can be customized, unauthenticated LLDP can be used as well, for example, as part of testing and debugging.

    After a successful authentication event, the switch enables LLDP and starts interpreting the information sent by the phone. The phone specifically advertises its PoE budget needs, its serial number that can be used for inventory purposes, and detailed model information. This information allows the switch to configure the edge port automatically and appropriately. The switch can now allocate the PoE budget, move the port into the voice VLAN, and configure QoS for voice on the port.

    In the last step, the switch also begins advertising information to the phone. With this additional information, the phone goes through a boot-strap mechanism to tag traffic for QoS as well as VLAN, and to find the call server to download additional configuration information. The phone now has its physical location based on the E911 emergency location information advertised by the switch.

    User Authentication

    User authentication profiles are used for network access security.

    Universal Port integrates with ExtremeXOS Network Login user authentication to support three authentication methods.

    • 802.1x IEEE standards-based Network Login
    • Web-based Network Login
    • MAC-based Network Login

    Multiple user profiles can be applied to a port or a group of ports. This means that a port can have one device profile and multiple user profiles.

    User profiles can be assigned to a port or a port list easily using the EPICenter Universal Port Manager. User profiles can be mass deployed out onto the network and be assigned to every single port in the network if required.

    By assigning user profiles to a port list, security policies can follow the user as he roams around a campus. For example, an engineer can walk from Building 1 to Building 5, plug his PC into the network and be authenticated. Based on that, he automatically receives certain access rights and ACLs.

    Note: In most cases, User-based really means user group-based. Most Security IT managers define groups of users with the same access rights. This makes managing network privileges easy. In this case, a user group has one profile name sent to the switch during authentication.

    [Figure 1: Device Detection. Panels: Preparation, Operation. Step labels: Administrator configures VoIP policies (VoIP VLAN, Dot1p priority, etc.); Administrator pushes policies to switch; After 802.1x authentication, phone sends LLDP message with model, PoE, serial number, etc.; Switch configures VLAN, Dot1p priority, ACLs and PoE on the port; Switch sends VLAN, Call Server, E911 location, QoS, etc. to the phone.]


    The implementation of the policy sits in the switch and can

    differ based on the location and can be changed based on time.

    With this mechanism, security policies can follow the user as

    he roams around a campus. For example, an engineer can walk

    from Building 1 to Building 5, plug his PC into the network and

    authenticate. Based on that, he automatically receives certain

    access rights. In most cases, user-based really means user

    group-based. Most Security IT managers define groups of users

    with the same access rights. This makes management of rights

    easy. In our example, a user group would have the same profile name sent to the switch during authentication.

    The entire concept of user-based security profiles is integrated

    with device-based profiles. When a VoIP phone is connected to

    the network, a PC or laptop can connect to the network

    through a data port on that VoIP phone. This means the VoIP

    phone and the PC must be identified individually and both

    must be authenticated separately. This is known as true

    Multiple Supplicant support.

    Note: Some vendors use the term Multiple Supplicant

    without allowing separate authentication. These vendors simply blackhole the traffic of the second

    MAC address and do not let the second device pass

    authentication. Even worse, other vendors take a

    different approach and allow all traffic from any

    additional device through after the first device has

    been authenticated on a port, leaving the network

    wide open.

    In addition to separate authentication for the phone and the

    user via the PC, ExtremeXOS switches also support multiple

     VLAN assignment. Without multiple supplicant support with

    multiple VLANs, PCs have weak security in voice VLANs. The

    other option is not using the phone data port.

    Note: MAC-based authentication can also be used to identify

    devices. For example, an entire MAC address or some

    bits of the MAC address can identify a device and

    perform switch port auto-configuration similar to the

    LLDP-based device detect event. The difference

    between this approach and LLDP authentication is

    that no information can be transmitted to that device.

    When authenticating to the network, user-based login can be

    combined with a timer trigger. Combining user authentication

    with time triggers puts different user policies in place based on the time of day. Universal Port triggers are then used to modify

    the assignment and implementation of user-based security

    policies.

    Network Login

    Network Login is paramount when implementing dynamic

    security policies. ExtremeXOS software supports three

    different login methods integrated into the Universal Port:

    • 802.1x IEEE standards-based Login
    • Web-based Network Login
    • MAC-based Network Login

     Any of these three methods can be enabled individually or

    combined to provide the smooth implementation of a

    secured network.

     

    802.1x IEEE Standards-based Login

    The IEEE 802.1x protocol is an edge port authentication protocol that requires a special client to be installed on the system accessing the network.

    802.1x has been designed as a secure protocol that uses several different secure authentication techniques. ExtremeXOS software has been tested against most of these techniques, including MD5, PEAP, TLS and TTLS, and supports password-based as well as certificate-based authentication. The most popular authentication method is probably Microsoft PEAP, using encrypted username/passwords.

    Web-based Network Login 

    Because not all devices use 802.1x, the ExtremeXOS

    operating system also supports web-based Network Login.

    Web-based login does NOT require any specific client side software (which 802.1x does). Instead web-based login

    uses standard built-in technologies on clients (DHCP and a

    web browser). Web-based login is an easy-to-deploy

    security mechanism for client devices.

    After opening a web browser, a user enters a userID/password pair for authentication. Extreme Networks

    switches redirect traffic to the Network Login welcome

    page. The login welcome page is configurable to allow a

    custom greeting or guest login information for network

    access via a dedicated guest VLAN. This type of login

    allows machines that are not under the control of an IT

    department to get network access.

    Note: Web-based Network Login is an excellent way to

    deploy 802.1x client software and certificates in a

    secure fashion on a port without opening up the

    network. Instead of installing 802.1x client software

    before turning on Network Login, users can log into

    the network via the web-based login, be redirected

    to an IT server to receive instructions on downloading and installing an 802.1x client and any additional software. This process dramatically reduces the costs and complexity of a user authentication rollout in an IT network because installation can be offloaded to the end user.

    Note: Beginning with ExtremeXOS Release 12.0, web-

    based Network Login welcome and authentication

    failure pages are completely user-configurable

    including custom graphics and advanced features

    such as Javascript code. ExtremeXOS Release 12.0

    supports any web technology that a client browser

    supports and does not require HTTP server-based

    actions.


    MAC-based Network Login

    MAC-based Network Login can be used for devices that

    have no means of performing manual authentication or

    using certificates. Devices such as older VoIP phones,

    printers, IP cameras or wireless access points can be

    authenticated using a MAC address. This allows for

    authentication enforcement on all edge ports on the

    network.

    This method provides more flexibility to the Universal Port network login infrastructure. With MAC-based Network

    Login, edge authentication can be turned on at every single

    port, no matter what connects to the network.

    MAC-based Network Login can help protect ports that

    connect devices such as printers or older generation VoIP

    phones should someone walk up and unplug the device and

    gain access to the network. While not fully secure because

    of potential MAC spoofing, with MAC-based Network Login

    it becomes more complicated for people to hack into the

    network. In most cases this is sufficient when combined

    with physical access restrictions.

    Authentication Process

    A common network authentication architecture has three components: a supplicant, an access device (switch, access point) and an authentication server (RADIUS). This architecture leverages decentralized access devices to provide scalable, but computationally expensive, encryption to multiple supplicants while centralizing access control to a few authentication servers. This latter feature makes authentication manageable in large installations. Figure 2 shows user authentication in a basic three component architecture.

    When Extensible Authentication Protocol (EAP) is run over a LAN, EAP packets are encapsulated by EAP over LAN (EAPOL) messages. (The format of EAPOL packets is defined in the 802.1x specification.) EAPOL communication occurs between the end-user station (supplicant) and the wireless access point (authenticator). The RADIUS protocol is used for communication between the authenticator and the RADIUS server.

    The authentication process begins when the end user tries to

    connect to the LAN. The authenticator (Extreme Networks

    switch) receives the request and creates a virtual port with the supplicant. The authenticator acts as a proxy for the

    end user passing authentication information to and from

    the authentication server on its behalf. The authenticator

    limits traffic to authentication data to the server. A

    negotiation takes place, which includes the following

    activities:

    • Client sends an EAP-start message
    • Access device sends an EAP-request identity message
    • Client EAP-response packet with the client’s identity is “proxied” to the authentication server by the authenticator
    • Authentication server challenges the client to prove himself and can send its credentials to prove itself to the client (if using mutual authentication)
    • Client checks server’s credentials (if using mutual authentication) and then sends his credentials to the server to prove himself
    • Authentication server accepts or rejects the client’s request for connection
    • If the end user is accepted, the authenticator changes the virtual port with the end user to an authorized state allowing full network access to the end user
    • At log-off, the client virtual port is changed back to the unauthorized state
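The negotiation above, together with the Multiple Supplicant behaviour described earlier, as an added Python example (not ExtremeXOS code): each supplicant MAC gets its own virtual port, driven by the EAP-MD5 exchange that Figure 2 shows. The user names, passwords and MAC addresses are constructed, and the RADIUS leg is collapsed into a direct call to a stand-in `AuthServer` class.

```python
import hashlib
import hmac
import os
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
IDENTITY, MD5_CHALLENGE = 1, 4                     # EAP types


def eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: code, identifier, length, then type and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet, rejecting inconsistent lengths."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    body = packet[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("missing EAP type")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""


def md5_value(ident, password, challenge):
    """EAP-MD5 response value: MD5(identifier + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def supplicant_reply(request, identity, password):
    """Client side: answer a Request/Identity or a Request/MD5-Challenge."""
    _, ident, eap_type, data = parse_eap(request)
    if eap_type == IDENTITY:
        return eap(RESPONSE, ident, IDENTITY, identity.encode())
    challenge = data[1:1 + data[0]]
    value = md5_value(ident, password, challenge)
    return eap(RESPONSE, ident, MD5_CHALLENGE, bytes([len(value)]) + value)


class AuthServer:
    """Stand-in for the RADIUS server; holds constructed credentials."""

    def __init__(self, users):
        self.users = users
        self.pending = b""

    def challenge(self, ident):
        self.pending = os.urandom(16)
        return eap(REQUEST, ident, MD5_CHALLENGE, bytes([16]) + self.pending)

    def decide(self, identity, response):
        code, ident, eap_type, data = parse_eap(response)
        password = self.users.get(identity)
        ok = (code == RESPONSE and eap_type == MD5_CHALLENGE
              and password is not None and len(data) >= 17 and data[0] == 16
              and hmac.compare_digest(
                  data[1:17], md5_value(ident, password, self.pending)))
        return eap(SUCCESS if ok else FAILURE, ident)


class EdgePort:
    """Authenticator: one virtual port per supplicant MAC on a physical port."""

    def __init__(self, server):
        self.server = server
        self.authorized = set()   # MACs whose virtual port is authorized

    def login(self, mac, identity, password):
        """Run the exchange for one supplicant; True when it is authorized."""
        self.authorized.discard(mac)            # EAPOL-Start: begin unauthorized
        reply = supplicant_reply(eap(REQUEST, 1, IDENTITY), identity, password)
        name = parse_eap(reply)[3].decode()     # Response/Identity, proxied
        reply = supplicant_reply(self.server.challenge(2), identity, password)
        verdict = parse_eap(self.server.decide(name, reply))[0]
        if verdict == SUCCESS:
            self.authorized.add(mac)
        return verdict == SUCCESS

    def logoff(self, mac):
        self.authorized.discard(mac)

    def forwards(self, mac):
        """Data frames pass only for a MAC with its own authorized virtual port."""
        return mac in self.authorized


# Constructed sample data; the MACs come from the RFC 7042 documentation range.
USERS = {"voip-phone": b"constructed-phone-pw", "engineer": b"constructed-user-pw"}
PHONE_MAC, PC_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"


def demo():
    """Phone authenticates; the PC behind it fails and stays blocked."""
    port = EdgePort(AuthServer(USERS))
    phone_ok = port.login(PHONE_MAC, "voip-phone", b"constructed-phone-pw")
    pc_ok = port.login(PC_MAC, "engineer", b"wrong-password")
    return phone_ok, pc_ok, port.forwards(PHONE_MAC), port.forwards(PC_MAC)


if __name__ == "__main__":
    print(demo())
```

Because authorization is keyed on the supplicant MAC, the phone's success does not open the port for the PC behind it, and the PC's failure does not take the phone down.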

    Multiple Universal Port profiles can be created on a switch,

    but only one Universal Port profile per event can be applied

    per port. Different profiles on the same port apply to

    different events; for example, different authentication

    events for different devices or users.

    When 802.1x is enabled on the switch port, the following

    sequence of events occurs when using an 802.1x and LLDP

    capable device:

    1. When a device is plugged in, the switch edge port sends an EAPOL start packet which triggers the device to start the 802.1x authentication process.

    2. In standard 802.1x terminology, the device is the supplicant, the switch is the authenticator, and Windows IAS or FreeRADIUS on Linux is the authentication server. An exchange of keys occurs and device credentials are checked.

    [Figure 2: User Authentication Process. Message flow between the VoIP phone, the Summit switch and the RADIUS server: EAPOL – Start, EAP – Request/Identity, EAP – Response/Identity, EAP – Request/MD5 Challenge, EAP – Response/MD5 Challenge, EAP – Success/Vendor Attributes. The port moves from Unauthorized to Authorized.]


    3. After the device has been authenticated, the RADIUS server tells the switch which Universal Port scripts to use and the VLAN for the port. This data is passed using a VSA between the RADIUS server and the switch.

    4. After the switch recognizes the authentication event and the VSAs from the RADIUS server, the Universal Port script is triggered and the port is added to the correct VLAN. After the device has been authenticated, DHCP requests on the device are passed through the switch to the DHCP server.

    5. When the device has received an IP address, LLDP messages sent by the device are updated and device provisioning continues via the Universal Port script.

    6. The Universal Port script triggers and the device is configured along with any PoE settings for the port.

     A user either logs in or the switch sees a MAC address in

    the case of MAC-based Network Login. Then the switch, on

    the backend side, sends the RADIUS server identifying

    information (either the MAC address, a user name with

    password that has been entered in web-based Network Login mode, or the 802.1x credentials that have been

    advertised from the client PC).

    802.1x uses EAP, an IETF standard. With a simple extraction from EAP over Ethernet into EAP over RADIUS, the RADIUS server receives login credential information, looks up the credentialing information in the database, determines whether the user or device does or does not have authorized access to the network, and responds back to the switch. If authenticated, the RADIUS server requests that the switch put the port in forwarding mode.

    The traffic sent down from the RADIUS server includes vendor-specific attributes. Most vendors support VLAN ID as a vendor-specific attribute (standards committees are currently trying to standardize which attributes to use instead of vendor-specific attributes). Extreme Networks goes one step further by providing security policy information during authentication, including names of policies and additional information that can be used within policies to narrow down network level access rights even further via ACLs and QoS. This process is accomplished in a single step without opening up the network, and without any dependency on an external policy server (that after login would apply a security policy).

    Note: The RADIUS server can be a proxy between RADIUS

    on the front end towards the switch and either

    LDAP or Active Directory on the backend. All

    popular RADIUS servers support this proxy mode.

    This is one way to integrate network level enforcement and security policies easily with application

    level enforcement such as user logins into business

    applications.

    How User Profiles Work

    In most cases, single users do not have individual user

    profiles. User profiles are normally assigned to user groups.

    As an example, a company like Extreme Networks may have security profiles for groups such as software engineering, hardware engineering, marketing, sales, technical support, operations and executive. These kinds of categories make profile management more streamlined and simple. However, in theory, profiles can be on a per-user basis.

    A user name and password, or credentials used with a smart card put into a PC with an identifying certificate, are sent into 802.1x. The switch authenticates with a RADIUS server which acts as a centralized repository for security policies. The RADIUS server can be a proxy going to LDAP or to Active Directory to obtain credentials and the user policy assigned.

    The switch learns which security policies to assign to a port via RADIUS attributes in the authentication response. The RADIUS server embeds Vendor Specific Attributes (VSAs) in the RADIUS packet sent back after a successful authentication. Extreme Networks has vendor specific attributes that identify the name of the security policy as well as ExtremeXOS script variables that provide profile information.

    For example, an additional variable can be added to a

    generic profile for software engineering for five designated

    engineers. The variables give these engineers access to a

    specific additional application. This method minimizes the

    number of profiles to be maintained and also increases

    implementation flexibility.
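An added Python example (not Extreme Networks code) of what the receiving side has to do with that response: verify the RFC 2865 Response Authenticator before trusting any attribute, then pull the VLAN and the profile name with its variables out of the Vendor-Specific Attributes. The sub-attribute numbers 203 and 212, the `name var=value;` string layout, the shared secret and the packet itself are assumptions constructed for the illustration; check them against your RADIUS dictionary.

```python
import hashlib
import hmac
import struct

EXTREME_VENDOR_ID = 1916      # IANA enterprise number for Extreme Networks
VSA_VLAN_NAME = 203           # assumed sub-attribute number: VLAN name
VSA_SECURITY_PROFILE = 212    # assumed sub-attribute number: profile + variables
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that carries VSAs


def build_accept(identifier, request_auth, secret, vsas):
    """Build a constructed Access-Accept with one VSA per (sub_type, text)."""
    attrs = b""
    for sub_type, text in vsas:
        value = text.encode()
        sub = struct.pack("!BB", sub_type, len(value) + 2) + value
        body = struct.pack("!I", EXTREME_VENDOR_ID) + sub
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, request_auth, secret):
    """Check MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def extreme_vsas(packet):
    """Return {sub_type: text} for every Extreme sub-attribute in the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != EXTREME_VENDOR_ID:
            continue
        sub = value[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad sub-attribute length")
            found[sub[0]] = sub[2:sub[1]].decode()
            sub = sub[sub[1]:]
    return found


def parse_profile(text):
    """Split 'name var=value;var=value;' into (name, {var: value})."""
    name, _, rest = text.strip().partition(" ")
    variables = {}
    for item in filter(None, (p.strip() for p in rest.split(";"))):
        key, sep, val = item.partition("=")
        if not sep or not key:
            raise ValueError("malformed profile variable: %r" % item)
        variables[key] = val
    return name, variables


def port_policy(packet, request_auth, secret):
    """Return the policy to apply, only for a verified Access-Accept."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    vsas = extreme_vsas(packet)
    name, variables = parse_profile(vsas.get(VSA_SECURITY_PROFILE, ""))
    return {"vlan": vsas.get(VSA_VLAN_NAME), "profile": name or None,
            "variables": variables}


# Constructed sample exchange (not captured traffic).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, [
    (VSA_VLAN_NAME, "Engineering"),
    (VSA_SECURITY_PROFILE, "sw-eng app=cvs;qos=QP3;"),
])

if __name__ == "__main__":
    print(port_policy(SAMPLE, REQUEST_AUTH, SECRET))
```

A response whose VLAN or profile bytes were altered in transit fails the authenticator check and is never turned into port configuration.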

    User profiles can also be used for devices that do not

    support LLDP. This method still performs switch port

    auto-configuration for voice VLAN, configures QoS, and

    provides VoIP auto configuration. However, with this method, the device does not receive configuration information and must rely on other mechanisms, usually DHCP using option fields, to receive information such as file and communication server addresses, QoS and VLAN settings.

    Figure 3 illustrates how user profiles are managed. There

    are two aspects shown in the illustration, the Preparation

    phase, which typically happens only occasionally when a new network is rolled out or profiles are updated, and the

    Operation phase for ongoing operations.


    Because policy implementation can be changed from port to

    port, Universal Port allows for location-based policies (for

    example, a restricted area). Integration with a timer event

    provides time-based policies, such as disabling wireless

    access after business hours.

    Note: VoIP phones are also capable of being authenticated before being allowed on the network. The phone begins 802.1x authentication based on a personal username and password. This authentication step is available and supported by the latest firmware from vendors such as Avaya and Mitel.

    This early authentication step protects the network from spoofing attacks that can occur if authentication is not performed before advertising who is there. This method is much more secure than unauthenticated CDP. Universal Port uses 802.1x-authenticated LLDP.

    Time

    Timers implement Time-of-Day profiles that can have various

    applications. For example, these profiles can be used to disable

    guest VLAN access after business hours, shut down a wireless

    service or power down a port. “Access point being powered

    down” can apply to a given time of the day or over a time span.

     

    Time-of-Day profiles are flexible and are not limited to just dynamic profile CLI commands. Time-of-Day profiles can use any command in the ExtremeXOS CLI, as long as it is understood that the change is permanent. This feature allows timed backups for configurations, policies, statistics, etc. Anything that needs to happen on a regular basis or at a specific time can be incorporated into a Time-of-Day profile.

    Figure 4 shows a simple example of how to do a periodic

    configuration upload once an hour. To execute the upload, a

    profile is created that includes a CLI command for uploading to

    a specific address with a file name. This profile is attached to a

    timer using the command create upm timer. The profile is then

    linked to the timer and the timer is configured with the correct

    time values and intervals.

    Preparation

    The administrator pushes out profiles and assigns profiles

    to edge ports. Preparation is often performed using the EPICenter Universal Port Manager; however, preparation

    can be done manually through the CLI, switch by switch.

    Operation

    The Operation phase begins when the user logs onto the

    network. The switch passes the information up to the RADIUS server, and the RADIUS server sends down the name

    of the policy as well as any additional ExtremeXOS variable

    settings or information in the user profile. This allows the

    switch to move the port into the correct VLAN (for

    example an Engineering VLAN), configure ACLs to specific

    servers or to specific application types such as enabling

    CVS access, or configure port interface speed as well as

    QoS for that port.

    Network Login enforces authentication before granting

    access to the network. All packets sent by a client on the

    port do NOT go beyond the port into the network until

    authentication using a RADIUS server occurs. In many

    cases, the RADIUS server interacts with a central data

    repository for user authentication such as Active Directory

    or an LDAP directory without putting the burden of the

    LDAP protocol into the network infrastructure. As a

    fallback for mission critical devices, an authentication

    database local to the switch can be used as well.

    Dynamic user policies can include rate-limiting, QoS and

    dynamic ACLs. These attributes are applied immediately

    during the authentication process, with no dependency on

    external second-step policy managers, instead using a

    central repository (RADIUS or LDAP / Active Directory).

    Dynamic security policies are activated and deactivated

    based on authentication when users connect or disconnect

    from the network.

    [Figure 3: User-based Login. Preparation: the administrator (EPICenter server) configures user group policies (VLAN, ACLs, port speed, Dot1p priority, etc.), maps policies to user groups, and pushes the policies to the switch. Operation: the user logs on to the network; the RADIUS server pushes the user group via Vendor Specific Attributes (VSA); the switch configures VLAN, ACLs, port speed, Dot1p priority, etc. on the port.]

    [Figure 4: Example of Periodic Configuration. Steps shown: create upm profile, create upm timer, configure upm timer profile, configure upm timer every 3600.]


    Trigger Events

    There are seven trigger events that activate a Universal Port

    profile. Table 1 summarizes these trigger events.

    Table 1: Trigger Events

    Device-detect and Device-undetect events are triggered by an LLDP packet when it reaches the port and when periodically transmitted LLDP packets are no longer received, respectively. LLDP age-out occurs when a device has disappeared or age-out time has been reached.

    User-Authenticated and User-Unauthenticated  events are

    triggered by any Network Login mechanism. Successful login

    triggers the User-Authenticated event and either explicit

    logout or sessions timing out trigger the User-Unauthenticated

    event.

    MAC-based authentication requires no interaction from the

    user. 802.1x authentication requires 802.1x client software on

    the device.

    Timer-AT and Timer-AFTER events can be set to a specific

    time of the day or a periodic event, for example, one-time after

    15 minutes or at 1 hour intervals.

    The User-Request trigger is a manual request by an administrator via CLI command to trigger a static or a dynamic profile.

    To trigger a dynamic profile, information for a particular event

    must be supplied. To trigger a device profile, information

    normally provided via LLDP must be provided. With

    ExtremeXOS 12.0, this capability is also available via XML and

    is used by the EPICenter Universal Port Manager when

    activating a profile from the EPICenter GUI.

    Trigger                 Condition
    Device-Detect           Specific device detected by the system, usually receipt of an LLDP packet into the port. Profile configures the port for the device.
    Device-Undetect         Specific device is no longer present or an LLDP timeout has occurred. Port properties return to a base state through a profile.
    User-Authenticated      Specific user authenticated. Profile configures the port for the user.
    User-Unauthenticated    Specific authenticated user has been unauthenticated. Port properties return to a base state through a profile.
    Timer-AT                Timer schedule to occur AT a specified time has occurred.
    Timer-AFTER             Timer schedule to occur AFTER a specified time has occurred. Can be a one-time occurrence or can be reoccurring.
    User-Request            Profile was triggered remotely by the administrator through the CLI.


    4. Universal Port Commands and Variables

    Commands

    Several commands were added to the ExtremeXOS operating system to expand the scripting capabilities for Universal Port.

    Command Modes

    CLI commands are set to non-persistent mode by default when executing dynamic profiles.

    To configure persistent command execution, enter the following command:

    configure cli mode persistent

    To configure non-persistent command execution, enter the following command:

    configure cli mode non-persistent

    Universal Port Command Summary

    The following command summary lists Universal Port CLI commands with command syntax. For complete command descriptions,

    refer to the ExtremeXOS 12.0 Command Reference Guide.

    Note: The CLI uses upm as an abbreviation for Universal Port management to indicate a Universal Port command. Do NOT

    confuse this abbreviation with the EPICenter Universal Port Manager.

    Command Syntax

    configure upm event Configure upm event profile


    Universal Port Variables

    CLI scripting must be enabled before composing or executing a script.

    Universal Port uses CLI scripting variables to make system and trigger event information available to profiles. In addition,

    user-defined variables can be created, but are limited to the current context unless explicitly saved. Saving variables allows

    certain data from one profile to be reused in another profile for a different event, for example, between login and logout events,

    the data necessary to perform rollback for a port configuration can be shared.

    Common Variables for all Profiles

    $STATUS                            Status of last command execution
    $CLI.USER                          UserName of user executing this CLI
    $CLI.SESSION_ID                    An identifier for this session. This identifier will be available for the roll-back event when a device or user times out.
    $CLI.SESSION_TYPE                  Type of user session
    $EVENT.NAME                        Event that triggered this profile
    $EVENT.PROFILE                     Name of the profile currently being run
    $EVENT.TIME                        Time the event occurred, in seconds since epoch
    $EVENT.TIMER_TYPE                  Periodic or Non_periodic
    $EVENT.TIMER_DELTA_SECS            Time difference between timer firing and time actual shell was run in seconds

    Variables for Device Detect Profiles

    $EVENT.DEVICE                      Device identification string
    $EVENT.DEVICE_IP                   IP address of the device (if available). Blank if not available
    $EVENT.DEVICE_MAC                  MAC address of device (if available). Blank if not available
    $EVENT.DEVICE_POWER                Device power in milliwatts (if available). Blank if not available.
    $EVENT.DEVICE_MANUFACTURER_NAME    Manufacturer name
    $EVENT.DEVICE_MODEL_NAME           Device model
    $EVENT.USER_PORT                   Port associated with this event

    Variables for User Authentication Profiles

    $EVENT.USERNAME                    Name of user authenticated. This is a string with the MAC address for MAC-based user login
    $EVENT_NUMUSERS                    Authenticated supplicants on the port after event occurred
    $EVENT.USER_MAC                    MAC address of the user
    $EVENT.USER_PORT                   Port associated with this event
    $EVENT.USER_VLAN                   VLAN associated with this event
    $EVENT.USER_IP                     IP address of the user if applicable, else blank


    5. Configuration Process

    There are two ways to configure the Universal Port for both static and dynamic profiles.

    • Command Line Interface (CLI)
    • EPICenter Universal Port Manager

    This section discusses the configuration requirements and configuration sequence for device detection, user authentication, and

    timer events using the ExtremeXOS CLI. A step-by-step configuration process using the Universal Port Manager follows in

    Section 6.

    Configuration for Device Detection

    Configuration Requirements

    Basic configuration requirements for Device Detection via the Universal Port include the following network components.

    • ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)
    • Appropriate firmware for devices
    • PoE switches for PoE devices
    • DHCP server

    Configuration Sequence

    The sequence of events used to configure the Universal Port for device detection is listed below.

    1. Create the VLAN for the VoIP network.
    2. Create the Universal Port profile for Device-Detect on the switch.
    3. Create the Universal Port profile for Device-Undetect on the switch.
    4. Assign the Device-Detect profile to the edge ports.
    5. Assign the Device-Undetect profile to the edge ports.
    6. Verify that correct profiles are assigned to correct ports.
    7. Enable LLDP message advertisements on the ports assigned to Universal Ports.
    8. Verify configuration.

    Example

    1: Configure VLAN

    SummitX450-48p # create vlan voice
    SummitX450-48p # configure voice ipaddress 192.168.0.1/24

    2: Create Universal Port profile to be triggered by a Device-Detect Event

    X450e-24p.2 # create upm profile detect-voip
    Start typing the profile and end with a . as the first and the only character on a line.
    Use - edit upm profile  - for block mode capability
    create log entry Starting_Script_DETECT-voip
    set var callServer 192.168.10.204
    set var fileServer 192.168.10.194
    set var voiceVlan Voice
    set var CleanupProfile CleanPort
    set var sendTraps false
    #
    create log entry Starting_DETECT-VOIP_Port_$EVENT.USER_PORT


    #**********************************************************

    # adds the detected port to the device “unauthenticated” prole port list

    #**********************************************************

    create log entry

    Updating_UnDetect_Port_List_Port_$EVENT.USER_PORT

    congure upm event Device-UnDetect prole CleanupProle ports $EVENT.USER_PORT

    #**********************************************************

    # adds the detected port to the proper VoIP vlan

    #**********************************************************congure $voiceVlan add port $EVENT.USER_PORT tag

    #**********************************************************

    # Congure the LLDP options that the phone needs

    #**********************************************************

    congure lldp port $EVENT.USER_PORT advertise vendor-specic avaya-extreme call-server

    $callServer

    congure lldp port $EVENT.USER_PORT advertise vendor-specic avaya-extreme le-server $leServer

    congure lldp port $EVENT.USER_PORT advertise vendor-specic avaya-extreme dot1q-framing tagged

    congure lldp port $EVENT.USER_PORT advertise vendor-specic med capabilities

    #congure lldp port $EVENT.USER_PORT advertise vendor-specic med policy application voice vlan

    $voiceVlan dscp 46

    #**********************************************************

    # Congure the POE limits for the port based on the phone requirement

    #**********************************************************

    # If port is PoE capable, uncomment the following lines

    congure lldp port $EVENT.USER_PORT advertise vendor-specic med power-via-mdi

    congure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT

    create log entry Script_DETECT-

    phone_Finished_Port_$EVENT.USER_PORT

    X450e-24p.3 #

    3: Create the Device-UnDetect Universal Port profile

    * X450e-24p.3 # create upm profile clearports

    Start typing the profile and end with a . as the first and the only character on a line.

    Use - edit upm profile <name> - for block mode capability

    create log entry STARTING_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT

    #configure $voiceVlan delete port $EVENT.USER_PORT

    unconfigure lldp port $EVENT.USER_PORT

    create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT

    #unconfigure upm event device-undetect profile avaya-remove ports $EVENT.USER_PORT

    unconfigure inline-power operator-limit ports $EVENT.USER_PORT

    create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT

    create log entry FINISHED_UPM_Script_CLEARPORT_on_$EVENT.USER_PORT

    .

    * X450e-24p.4 #

    4: Assign the device-detect profile to the desired edge ports

    * X450e-24p.8 # config upm event device-detect profile detect-voip ports 1-10

    5: Assign the device-undetect profile to the desired edge ports

    X450e-24p.9 # config upm event device-undetect profile clearports ports 1-10

    * X450e-24p.10 #

    6: Check that the Universal Port profiles are assigned correctly

    * X450e-24p.10 # show upm profile

    =============================================================

    UPM Profile     Events            Flags   Ports

    =============================================================

    clearports      Device-Undetect   e       1-10

    detect-voip     Device-Detect     e       1-10

    ===========================================================

    Number of UPM Profiles: 2

    Flags: d - disabled, e - enabled

    * X450e-24p.11 #

    7: Enable LLDP on the ports

    * X450e-24p.11 # enable lldp ports 1-10

    8: Verify configuration

    Plug the device in the port and test. The following commands can be used to help ensure that everything works correctly.

    show lldp

    show lldp neighbors

    show upm history

    show upm history detail

    show log match upm

    Configuration for User Login

    Configuration Requirements

    Basic configuration requirements for User login and authentication include the following network components:

    • ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)

    • RADIUS server for user authentication and VSA transmission

    • Appropriate firmware for devices

    • PoE switches for PoE devices

    • DHCP server

    • TFTP server (for VoIP applications)

    • Call Server (for VoIP applications)

    Configuration Sequence

    The sequence of events used to configure the Universal Port for user authentication is listed below.

    1. Configure RADIUS server for userID and password pair.

    2. Define the Extreme custom VSAs on RADIUS.

    3. Add the switch as an authorized RADIUS client.

    4. Create the Universal Port profile for User-Authenticate on the switch.

    5. Create the Universal Port profile for User-Unauthenticate on the switch.

    6. Configure RADIUS on the edge switch.

    7. Configure Network Login on the edge switch.

    8. Assign the create user-authenticate profile to the desired edge port.

    9. Assign the create user-unauthenticate profile to the desired edge port.

    10. Check that the correct profiles are assigned to the correct ports.

    11. Enable LLDP message advertisements on the ports.

    12. Test the setup.

    Example

    1: Configure the RADIUS server for the userID and password pair

    For FreeRADIUS, edit the users file located at /etc/raddb/users 

    #Sample entry using an individual MAC address

    00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"

        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",

        Extreme-Netlogin-VLAN = Voice

    #Sample entry using wildcard MAC addresses (OUI Method)

    00040D000000 Auth-Type := EAP, User-Password == "1234"

        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",

        Extreme-Netlogin-VLAN = Voice

    #Sample entry using a numeric UserID and password

    10284 Auth-Type := EAP, User-Password == "1234"

        Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",

        Extreme-Netlogin-Vlan = Voice

    #Sample entry using a text UserID and password

    Sales Auth-Type := EAP, User-Password == "Money"

        Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",

        Extreme-Netlogin-Vlan = v-sales

    2: Define the Extreme custom VSAs on RADIUS

    For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to include the following details:

    VENDOR Extreme 1916

    ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme

    ATTRIBUTE Extreme-Shell-Command 202 string Extreme

    ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme

    ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme

    ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme

    ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme

    ATTRIBUTE Extreme-User-Location 208 string Extreme

    ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme

    ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme

    ATTRIBUTE Extreme-Security-Profile 212 string Extreme

    VALUE Extreme-CLI-Authorization Disabled 0

    VALUE Extreme-CLI-Authorization Enabled 1

    VALUE Extreme-Netlogin-Only Disabled 0

    VALUE Extreme-Netlogin-Only Enabled 1

    # End of Dictionary

    3: Add the switch as an authorized client of the RADIUS server

    For FreeRADIUS, edit the clients.conf file located at /etc/raddb/clients.conf to include the switch details:

    client 192.168.10.4 {

      secret = purple

      shortname = x450e-24p

    }

    # End of clients.conf

    4: Create the Universal Port profile for User-Authenticate

    * X450e-24p.1 # create upm profile phone

    Start typing the profile and end with a . as the first and the only character on a line.

    Use - edit upm profile <name> - for block mode capability

    create log entry Starting_Script_Phone

    set var callServer 192.168.10.204

    set var fileServer 192.168.10.194

    set var voiceVlan Voice

    set var CleanupProfile clearport

    set var sendTraps false

    #

    create log entry Starting_AUTH-VOIP_Port_$EVENT.USER_PORT

    #******************************************************

    # Configure the LLDP options that the phone needs

    #******************************************************

    configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer

    configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer

    configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged

    configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities

    create log entry UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT

    .

    X450e-24p.2 #

    5: Create the Universal Port profile for User-Unauthenticate on the switch

    * X450e-24p.1 # create upm profile clearport

    Start typing the profile and end with a . as the first and the only character on a line.

    Use - edit upm profile <name> - for block mode capability

    create log entry STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT

    unconfigure lldp port $EVENT.USER_PORT

    create log entry LLDP_Info_Cleared_on_$EVENT.USER_PORT

    unconfigure inline-power operator-limit ports $EVENT.USER_PORT

    create log entry POE_Settings_Cleared_on_$EVENT.USER_PORT

    create log entry FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT

    .

    * X450e-24p.2 #

    6: Configure RADIUS on the edge switch

    * X450e-24p.4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr VR-Default

    * X450e-24p.5 # config radius primary shared-secret purple

    7: Configure Network Login on the edge switch (802.1x)

    * X450e-24p.7 # create vlan nvlan

    * X450e-24p.8 # config netlogin vlan nvlan

    * X450e-24p.9 # enable netlogin dot1x

    * X450e-24p.10 # enable netlogin ports 11-20 dot1x

    * X450e-24p.11 # config netlogin ports 11-20 mode mac-based-vlans

    * X450e-24p.12 # enable radius netlogin

    OR

    Configure Network Login on the edge switch (MAC-based or OUI method)

    * X450e-24p.7 # create vlan nvlan

    * X450e-24p.8 # config netlogin vlan nvlan

    * X450e-24p.9 # enable netlogin mac

    * X450e-24p.10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234

    * X450e-24p.11 # enable radius netlogin

    8: Assign the create user-authenticate profile to the edge port

    * X450e-24p.6 # configure upm event user-authenticate profile "phone" ports 11-20

    * X450e-24p.7 #

    9: Assign the create User-unauthenticate profile to the edge port

    * X450e-24p.7 # configure upm event user-unauthenticated profile "clearport" ports 11-20

    * X450e-24p.8 #

    10: Check that correct profiles are assigned to correct ports

    * X450e-24p.8 # show upm profile

    ===========================================================

    UPM Profile     Events                 Flags   Ports

    ===========================================================

    phone           User-Authenticated     e       11-20

    clearport       User-Unauthenticated   e       11-20

    ===========================================================

    Number of UPM Profiles: 5

    Flags: d - disabled, e - enabled

    * X450e-24p.9 #

    11: Enable LLDP message advertisements on the ports

    * X450e-24p.9 # enable lldp ports 11-20

    12: Test the setup
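
The profile checks in step 10 (and step 6 of the device-detection example) can be scripted. The Python below is an added example, not part of the Extreme Networks guide: it parses `show upm profile` output and the `Extreme-Security-Profile` values from the FreeRADIUS users file, then reports ports whose trigger profile has no enabled cleanup profile and profile names that RADIUS references but the switch does not define. The sample inputs are constructed, and the VSA value layout (`<profile> LOGOFF-PROFILE=<profile>;`) and plain port-number ranges are assumptions taken from the samples on this page.

```python
import re

# Trigger event -> cleanup event, named as in the "show upm profile" output.
PAIRS = {"device-detect": "device-undetect",
         "user-authenticated": "user-unauthenticated"}

# Constructed sample in the format of the page's "show upm profile" output.
SHOW = """\
UPM Profile     Events                Flags  Ports
clearports      Device-Undetect       e      1-10
detect-voip     Device-Detect         e      1-10
phone           User-Authenticated    e      11-20
clearport       User-Unauthenticated  e      11-18
Number of UPM Profiles: 4
"""

# Constructed FreeRADIUS users entries modelled on the page's samples.
USERS = '''\
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
    Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
    Extreme-Netlogin-VLAN = Voice
10284 Auth-Type := EAP, User-Password == "1234"
    Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
    Extreme-Netlogin-Vlan = Voice
'''

# One binding row: profile name, event, flag (d/e), port list such as 1-3,7.
ROW = re.compile(r"\s*(\S+)\s+(\S+)\s+([de])\s+(\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)\s*$")

def expand_ports(spec):
    """'1-3,7' -> {1, 2, 3, 7}. Assumes plain port numbers, no slot:port."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_show_upm_profile(text):
    """Return (profile, event, enabled, ports) for each binding row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, event, flag, spec = m.groups()
            rows.append((name, event.lower(), flag == "e", expand_ports(spec)))
    return rows

def ports_without_cleanup(rows):
    """Ports whose enabled trigger profile has no enabled cleanup profile."""
    def ports_for(event):
        return set().union(*[p for _, ev, on, p in rows if on and ev == event])
    gaps = {}
    for trigger, cleanup in PAIRS.items():
        missing = ports_for(trigger) - ports_for(cleanup)
        if missing:
            gaps[trigger] = sorted(missing)
    return gaps

def radius_profile_names(users_text):
    """Profile names referenced by Extreme-Security-Profile reply values."""
    names = set()
    pattern = r'Extreme-Security-Profile\s*=\s*"([^"]*)"'
    for value in re.findall(pattern, users_text):
        tokens = value.replace(";", " ").split()
        names.update(tokens[:1])                  # profile run at logon
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            if key == "LOGOFF-PROFILE" and val:
                names.add(val)                    # profile run at logoff
    return names

def undefined_on_switch(users_text, show_text):
    """Profiles RADIUS would request that the switch does not define."""
    defined = {name for name, *_ in parse_show_upm_profile(show_text)}
    return sorted(radius_profile_names(users_text) - defined)

if __name__ == "__main__":
    print(ports_without_cleanup(parse_show_upm_profile(SHOW)))
    print(undefined_on_switch(USERS, SHOW))
```

A port reported by `ports_without_cleanup` keeps its LLDP and PoE settings after the phone or user leaves, because no cleanup profile runs on it.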

    Configuration for Time-of-day Profiles

    Configuration Requirements

    Basic configuration requirements for time profiles include:

    • ExtremeXOS 11.6 or later (if using the EPICenter Management Platform, ExtremeXOS 12.0 is required)

    Configuration Sequence

    The sequence of events used to configure the Universal Port for Time-of-Day profiles is listed below.

    1. Create the Universal Port profile

    2. Create the timer trigger

    3. Assign the timer to the profile

    4. Configure the timer

    Example

    1: Create the Universal Port profile

    * X450e-24p.1 # create upm profile eveningpoe

    Start typing the profile and end with a . as the first and the only character on a line.

    Use - edit upm profile <name> - for block mode capability

    create log entry Starting_Evening

    disable inline-power ports 1-20

    .

    *X450e-24p.2

    2: Create the Universal Port timer

    *X450e-24p.3 # create upm timer night

    3: Assign the timer to the profile

    *X450e-24p.4 # config upm timer night profile eveningpoe

    4: Configure the Timer

    *X450e-24p.5 # config upm timer night at 7 7 2007 19 00 00 every 86400

    6. Universal Port Manager

    The Universal Port Manager is a component available with the Advanced Upgrade of the EPICenter management platform

    designed to manage the Universal Port feature across the entire network.

    To open the Universal Port Manager component of EPICenter, click on the Profiles button on the left side of the EPICenter GUI.

    See Figure 5.

    The Universal Port Manager screen is organized into three functional areas, each accessed by a tab. See Figure 6.

    Network Profiles

    • Used to view, enable-disable, edit, run and delete profiles.

    • Used to change profile trigger events or port configurations on switches.

    Managed Profiles

    • Used to import-export, create, view, edit, save, delete, test and deploy profiles.

    Audit Log

    • Used to examine profile actions on network devices and redeploy profiles.

    Figure 5: EPICenter GUI

    Note: The EPICenter Inventory Manager can be used to create and manage large device groups to facilitate profile management for large networks. Port groups, created by the EPICenter Grouping Manager, can also be managed by the EPICenter Inventory Manager.

    Configuration

    Configuration Requirements

    • ExtremeXOS 12.0 or later

    • HTTP or HTTPS must be enabled on the device

    Enable web http

    Configuration Sequence

    The sequence of events to create and deploy a Universal Port profile is listed below.

    1. Create a new profile or customize an existing profile.

    2. Save the profile in EPICenter.

    3. Test the profile on a device.

    4. Deploy and enable the profile on the devices, device group or port group. (The profile is now saved on the switch.)

    5. Track profile status.

    6. Modify network or redeploy profiles as required.

    Note: Extreme Networks provides pre-packaged Universal Port Modules which incorporate specialized scripts to configure

    edge ports with automatic discovery, configuration and provisioning. For example, the Handset Provisioning Module

    provides specialized scripts for multi-vendor IP Telephony devices. Refer to section on modifying templates.

    Figure 6: Universal Port Manager Screen

    Create New Profile

    Use the following procedure to create a new profile.

    1. Access the Managed Profiles view and click the New button. See Figure 7.

    Figure 7: Select New Profile

    2. The New Profile window appears. See Figure 8. This window has two tabs, Overview and Script View. Select the Script View tab.

    Figure 8: New Profile Window

    3. The Script View tab is where the profile is edited or created. The Profile editor contains three lines of metadata. Enter a description for the profile after # @ScriptDescription. Then enter the variable description fields using # @VariableFieldLabel and the variable definitions using set var. All of this should be done before # @MetaDataEnd. See Figure 9 for an example populated with variables.

    Figure 9: Script Tab View of Profile Editor

    4. Select the Overview tab to verify description and variables. The Overview tab can be accessed anytime during profile

    scripting to check accuracy of variables. See Figure 10.

    Figure 10: Overview Tab

    5. Return to the Script View tab and enter the body of the script. Figure 11 shows an example block of script to add an

    action to the profile.

    6. Click the Save Changes button at the bottom of the screen.

    Figure 11: Example Script

    7. The Save Profile As … window appears. See Figure 12. Enter a profile name and version, then click the Save button.

    Figure 12: Save Profile As... Window

    Test the Profile

    8. The Script View tab reappears. To test the profile, click the Test button at the bottom of the screen. See Figure 13.

    Figure 13: Test Button

    9. A window appears to select trigger events. At the Run profile at: area, select Other trigger events. Then select the

    appropriate trigger and click the Next button. See Figure 14.

    Figure 14: Select Trigger Events Window

    10. A window appears to select the method for a device search (switches), individually or as a group. See Figure 15. Select

    search method and click Next.

    Figure 15: Select Type of Device Search Window

    11. A window appears with a list of available devices or device groups on which to test the profile. Whether a list of devices or a list of device groups appears depends on the search method selected in the preceding window (see Figure 15). In the security_video example, Devices (individual devices) was selected, so Figure 16 shows a list of devices on which to test the profile script.

      Select the devices or device groups for the test and click Next.

    Note: Extreme Networks recommends using one device (switch) for profile testing.

    Figure 16: Select Device Window

    12. A window appears to select ports on which to test the profile. See Figure 17. Select ports and click Next.

    Note: Extreme Networks recommends testing on a single port.

    Figure 17: Select Ports Window

    13. A window appears to verify the testing configuration. Check switch and port numbers. If correct, click the Validate 

    button. See Figure 18. If not correct, click the Back button to change selections.

    Figure 18: Profile Test Validation Window

    14. A similar window appears indicating whether the profile validation was successful. See Figure 19. Click Next to test the profile on the switch.

      If the profile was not validated, access the Script View tab and debug.

    Figure 19: Validation Results Window

    15. A window appears indicating that profile has been deployed for testing. See Figure 20. Select the Trigger Event from the

    pull-down menu. Click the Save and Run button.

    Figure 20: Test Deployment Window

    16. A rotating set of small blue squares appears in the Test Results panel during testing. After testing is complete, a success

    or failure message appears. See Figure 21. If the profile has been successfully deployed and tested on the switch, click the

    Close button.

    Figure 21: Test Results Window

    Deploy the Profile

    17. The profile is now on the Managed Profiles tab. See Figure 22. Select the script profile (highlighted when selected) to

    deploy the profile to the network. Click the Deploy  button on the top right of the window.

    Figure 22: Profile Test Validation Window